Versioning, Aliases, and
Resource Policies

With versioning and aliases you can access a Lambda function using various ARNs. For
example, consider the following scenario:

You can invoke for example the helloworld function version 1 using any of the
following two ARNs:

Using the qualified function ARN:

Copy

arn:aws:lambda:aws-region:acct-id:function:helloworld:1

Note

An unqualified function ARN (function ARN without a version or alias suffix), maps
to
the $LATEST version.

Using the BETA alias ARN:

Copy

arn:aws:lambda:aws-region:acct-id:function:helloworld:BETA

In a push model, event sources (such as Amazon S3 and custom applications)
can invoke any of the Lambda function versions as long you grant the necessary
permissions to these event sources by using an access policy associated with the
Lambda
function. For more information about the push model, see Event Source Mapping.

Assuming that you grant permission, the next question is, "can an event source invoke
a function version using any of the associated ARNs?" The answer is, it depends
on how
you identified function in your add permissions request (see AddPermission). The key to
understanding this is that the permission you grant apply only to the ARN used
in the
add permission request:

If you use a qualified function name (such as helloworld:1), the permission
is valid for invoking the helloworld function version 1
only using its qualified ARN (using any other ARNs will
result in a permission error).

If you use an alias name (such as helloworld:BETA), the
permission is valid only for invoking the helloworld function using
the BETA alias ARN (using any other ARNs will result in a permission error,
including the function version ARN to which the alias points).

If you use an unqualified function name (such as helloworld), the
permission is valid only for invoking the helloworld function using
the unqualified function ARN (using any other ARNs will result in a permission
error).

Note

Note that even though the access policy is only on the unqualified
ARN, the code and configuration of the invoked Lambda function is still
from function version $LATEST. The unqualified function ARN maps to
the $LATEST version but the permissions you add are ARN-specific.

If you use a qualified function name using the $LATEST version
(helloworld:$LATEST), the permission is valid for invoking the
helloworld function version $LATESTonly
using its qualified ARN (using unqualified ARN will result in a permission
error).